ICO consultation on the draft right of access guidance


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right
of access?

X Yes
No 
Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


Q2 Does the draft guidance contain the right level of detail? 


X Yes
No
Unsure/don’t know


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


Q3 Does the draft guidance contain enough examples? 


Yes
No
Unsure/don’t know


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 


Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful


Q6 Why have you given this score? 


The draft guidance is relevant to my role, but I’ve only recorded a return of ‘very useful’
as the draft merely reflects my current understanding of the obligations placed on
organisations and subject access rights of individuals.


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


I have added comments as an additional page, at the end, as this textbox is too 
small. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


HM Treasury 


What sector are you from: 


Central Government 


Q10 How did you find out about this survey? 


O ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 
Thank you for taking the time to complete the survey.


ICO consultation on the draft right of access guidance 
Additional Comments 


Page 4: Are individuals only entitled to their own personal data? 

Under the right of access, an individual is only entitled to their own personal data. 
They are not entitled to information relating to other people (unless their data also 
relates to other individuals). Before you can respond to a SAR, you need to decide 
whether the information you hold is personal data and, if so, who it belongs relates
to. 


Comment: To say, ‘belongs to’ might be misunderstood to suggest you mean who 
‘owns’ the personal data (i.e. data controller) and not the data subject. I think 
‘relates to’ makes this clearer. 


Page 15: Can we deal with a request in our normal course of business? 

It is important to draw a practical distinction between formal requests for information 
and routine correspondence that you can deal with in the normal course of business. 
For example, if an individual requests copies of letters which you have sent to them 
previously, it is unlikely that you need to deal with this as a formal SAR. You should 
consider such correspondence on a case by case basis. 


Comment: This needs to make clear that although dealing with a request as normal 
business is permissible, the data controller still needs to be mindful of the 
requestor’s right to their personal data within one month. 


Page 40: What should we do if the request involves information about other 
individuals? 


Step 2 - Has the other individual consented? 

In practice, the clearest basis for justifying the disclosure of third-party information 
in response to a SAR is that the third party has given their consent. It is therefore 
good practice, where possible, to ask relevant third parties for consent to the 
disclosure of their personal data in response to a SAR. However, you are not obliged 
to ask for consent. Indeed, in some circumstances, it may not be appropriate to do 
so, for instance if it would involve a disclosure of personal data about the requester 
to the third party. 


Comment: While I no longer handle subject access requests, I’ve always been of 
the view that the making of a SAR should be a private matter (between the data 
subject and the data controller). For this reason, I would not want to identify a data 
subject (who has made the SAR) when trying to secure consent from a third party as 
described above. However, depending on the nature of the request (and the 
relationship between the data subject and the third party): 


- the very act of seeking consent from a third party may (inadvertently) identify
  the data subject and the fact that s/he has made a SAR (which, I feel, the
  third party isn’t necessarily entitled to know)

- in cases where there is a dispute between the data subject and third party
  (which the data controller may not be aware of) or the nature of the data
  subject’s relationship with the third party, the data subject may not want a
  data controller to contact the third party on the basis that, even if attempts
  are made to anonymise the data subject, contacting the third party and
  identifying the information in scope of the request will inevitably identify the
  data subject

- the third party may choose to ask the data controller who the data subject is
  before making their decision about whether they will provide consent. For
  example, they may be happy for one person (e.g. such as a close work
  colleague) to have sight of their personal data, but not someone who they
  barely know or with whom they may have experienced a difficult or abusive
  relationship.


I think it would be useful to have clarity on such potential conflicts in this guidance. 


Page 40: Management information 

An exemption applies to personal data that is processed for management forecasting 
or management planning in relation to a business or other activity. Such data is 
exempt from the right of access to the extent that complying with a SAR would be 
likely to prejudice the conduct of the business or activity. 


Comment: If you take the ICO’s example: 


Example 

The senior management of an organisation are planning a reshuffle. 
This is likely to involve making certain employees redundant, and this 
possibility is included in management plans. Before the plans are 
revealed to the workforce, an employee makes a subject access 
request. In responding to that request, the organisation does not have 
to reveal their plans to make the employee redundant, if doing so 
would be likely to prejudice the conduct of the business (perhaps by 
causing staff unrest before the management’s plans are announced). 


In this scenario, it is reasonable to assume that making a data subject aware that
his/her personal data has been withheld under this particular exemption is likely to
suggest to the data subject that there are plans to make employees (possibly
him/her) redundant.


I’ve not had to apply this exemption, but it would be helpful if the guidance 
explained whether a data controller is required to inform a data subject if it has 
applied this exemption. 


